GDPR Brief: What information can research participants demand under the GDPR?

Research participants enjoy the same rights under the GDPR, generally speaking, as do other individuals whose personal data are processed (collectively known as “data subjects”). The right of access to one’s personal data is the first among a constellation of data-subject rights guaranteed by the GDPR, along with a right to rectification and erasure, among others.

The right of access extends to all personal data which have been collected concerning the data subject who exercises it. It also includes information about the processing, including the purposes for which the data are processed, where possible the period for which the personal data are processed, the recipients of the personal data, the logic involved in any automatic personal data processing and, at least when based on profiling, the consequences of such processing. Access should be available through remote access to a secure system, where possible.

But the right of access is limited in several situations. First, if data have been sufficiently de-identified so that the entity holding them is not in a position to identify the participant, no right of access exists. This is true even if third parties can identify the participant, and the data thus remains personal data. Second, in the context of processing for scientific research purposes, the GDPR also allows the EU or its member states to limit the right of access, among other data subject rights, through legislation when this is necessary to achieve the scientific research purposes. Third, if the entity holding the data is a processor rather than a controller under the GDPR, their duties are oriented more toward assisting the controller in responding to access requests as necessary. Finally, the right of access may be limited if it adversely affects the rights or freedoms of others, including if it would compromise intellectual property rights.

Unless such exceptions eliminate the right of access altogether, an entity subject to the GDPR should have mechanisms in place allowing it to respond appropriately to access requests.

The GDPR’s new right to data portability is closely tied to access. This right will be the subject of a future brief, but in the narrower situations where it applies, it entitles data subjects to receive their data in a structured, commonly used and machine-readable format. For sequencing data, a paper printout of base pairs would likely not meet this standard, whereas a .vcf or .bam file likely would.